skip to Main Content

Top Email Security Hacks to Avoid in 2023 – Part I

Phishing attacks and email hacks to get to your data have grown exponentially over the last decade, and you can expect to see these eight security hacks in 2023.

Today phishing schemes are becoming more challenging to identify. This two-part blog will identify eight clever phishing schemes to avoid over the next year.

Email Hacks to Avoid – The List

1. Simple use of malicious URLs or executable code in the body of the email.

In the early 2000s it became obvious that email scammers existed. Looking back, the progression has included automated campaigns, new engaging subject lines, and simple sender impersonation. Every time users caught on, a new phishing strategy entered the scene. Seeing fewer malicious URLs and executable code in the body of emails – as we have this year – has been a clear warning that email is a top target for hackers.

2. Sharp rise in the use of HTML and PDF attachments that SEGs do not block.

The attacker has a simple script tag in JavaScript in the HTML attachment that redirects the victim’s browser to a malicious site. The attacker puts his JavaScript in the attachment because most email clients won’t run JavaScript in the body of the email. By putting the JavaScript in the attachment, the attacker is hoping the user clicks on it, which will then open in a full browser, which of course, will happily run the JavaScript.

Why this works:

This phishing scheme is successful because legacy email protection systems don’t generally scan HTML attachments as they do the body of the email itself – and even if they do, they do not remove JavaScript. In most systems, the attacker is able to sidestep the email protection system by moving his malicious payload to an attachment.

3. Cybercriminals are using indirect and multi-step methods to lure in the end user, making the experience feel more real.

Different people have their own level of awareness when it comes to recognizing a potential phishing email. For most people, that level of awareness is based on sure tell-tale signs of phishing they were trained to look for, such as suspicious links, unknown senders, or an unfamiliar greeting. In this case, everything looks legit… but it’s not!

4. Expect more “personalized” phishing attempts.

In short, a fake sender lifts someone’s title from social media (usually LinkedIn) and creates a personalized site with the end user’s domain.

The attacker has a generic template and customizes it for each recipient site and company identity. Via Google search, the site automatically retrieves the favicon image of the recipient’s domain to create a personalized phishing site in real time.  It’s essentially a magic impersonation redirect hosted by Google and is always available to the attacker at no cost.

New call-to-action

Want to secure and protect your email from hackers?

Blue Fox Group can help. In addition to advanced email security monitoring and protection, we provide the following services:

  • Review of your security posture and gaps
  • Review any regulatory compliance activity and requirements
  • Determine how to store and safeguard large amounts of sensitive data through Detection & Response and Encrypted backup services.
  • Build a Remote Employee Security Checklist
  • Implement Multi-factor Authentication & Phishing Security 3.0
Find a time to talk.
Back To Top